Abstract. Techniques for the efficient successive under-approximation of the greatest fixpoint in TCTL formulas can be useful in the fast refutation of inevitability properties and in vacuity checking. We first give an integrated algorithmic framework for both under- and over-approximate model-checking. We design the NZF (Non-Zeno Fairness) predicate, with a greatest fixpoint formulation, as a unified framework for the evaluation of formulas like $\exists\Box\psi$, $\exists\Box\Diamond\psi$, and $\exists\Diamond\Box\psi$. We then prove the correctness of a new formulation for the characterization of the NZF predicate based on zone search and least fixpoint evaluation. The new formulation leads to the design of an evaluation algorithm, with the capability of successive under-approximation, for $\exists\Box\psi$, $\exists\Box\Diamond\psi$, and $\exists\Diamond\Box\psi$. We then present techniques to efficiently search for the zones and to speed up the under-approximate evaluation of those three formulas. Our experiments show that the techniques significantly enhance the verification performance against several benchmarks over exact model-checking.
1 Introduction

The greatest fixpoint evaluation is useful in the verification of inevitability properties and fairness assumptions of real-time systems [19,21]. Previously, people have researched over-approximation techniques [12,21], which construct the characterization of a superset of the greatest fixpoint. But in practice, under-approximation techniques, which construct a subset of the greatest fixpoint, can also be useful. For example, we may want to verify a TCTL (Timed Computation Tree Logic) [2] inevitability property like $\forall\Diamond\mathit{full}$, which says "Along all computations, our stomachs will eventually be full of nice food." In model-checking, we actually try to prove the falsehood of its negation, or equivalently the emptiness of the state space characterized by $\exists\Box\neg\mathit{full}$. The evaluation procedure for greatest fixpoints in TCTL in exact analysis is quite expensive [21]. In real-world system development, it is seldom the case that no design bug ever happens. On the contrary, it is quite possible that a long debugging process is needed in the early design stages. Thus we need not only techniques to prove correct inevitabilities, but also techniques to quickly refute incorrect inevitabilities. Efficient under-approximation techniques can serve this purpose by quickly constructing a few counter-examples to the incorrect inevitabilities.

* The work is partially supported by NSC, Taiwan, ROC under grants NSC 92-2213-E-002-103, NSC 92-2213-E-002-104, and by the System Verification Technology Project of Industrial Technology Research Institute, Taiwan, ROC (2004).

Under-approximation techniques for the greatest fixpoint evaluation can also be useful in the vacuity checking [4,9] of system assumptions. For example, we may want to specify that "Whenever we are hungry, along all computations, eventually we will be full." In TCTL, this is $\forall\Box(\mathit{hungry} \rightarrow \forall\Diamond\mathit{full})$. But this property can be satisfied by a system model that either does not generate any computation or never gets into a hungry state. In the end, it is still the responsibility of the verification engineers to check if a specification is vacuously satisfied because of the wrong modeling of the environment or the component interactions. Under-approximation can help in this case by quickly constructing a few example computations, if any, along which eventually hungry is true.

Similarly, vacuous satisfaction can happen in the verification of properties with fairness assumptions. For example, we may specify that "If we are full infinitely many times, then we eventually will not feel hungry." Again, the property can be vacuously satisfied in a system that fills us only finitely many times. Before evaluating the specification, we may first want to use under-approximation techniques to make sure that in the model, there are computations with infinitely many full states.

In this work, we present techniques for the under-approximation of the greatest fixpoint evaluation in real-time systems with fairness assumptions. We propose a predicate called NZF (Non-Zeno Fairness) as a unified framework for the evaluation of the greatest fixpoints for formulas like $\exists\Box\phi$, $\exists\Box\Diamond\phi$¹, and $\exists\Diamond\Box\phi$² in a TCTL extension with the fairness concepts. In notation, the predicate is $NZF(\eta_0, \eta_1, \eta_2)$. A state $\nu_0$ satisfies $NZF(\eta_0, \eta_1, \eta_2)$ iff it starts a run along which $\eta_0$ is always true, $\eta_1$ is eventually always true, and $\eta_2$ is true infinitely often. The evaluation of $NZF(\eta_0, \eta_1, \eta_2)$ consists of all states that go (through a path first satisfying $\eta_0$ and then satisfying $\eta_1$) to some fair computation cycles such that the execution time along each cycle is no less than 1, $\eta_0 \wedge \eta_1$ is always true along the cycles, and $\eta_2$ is true at least once along each cycle. For convenience, we call such a cycle an $(\eta_1, \eta_2)$-NZF-cycle. A picture showing the states, run segments, and cycles in the evaluation of an $NZF(\eta_0, \eta_1, \eta_2)$ predicate is in figure 1. According to [21], the evaluation of NZF() needs a greatest fixpoint evaluation loop nesting a least fixpoint evaluation loop and is quite expensive.

¹ This means that there is an infinite computation along which $\phi$ is true infinitely many times.

² This means that there is an infinite computation along which $\phi$ eventually becomes true forever.

Fig. 1. The run segments for $NZF(\eta_0, \eta_1, \eta_2)$ (figure not reproduced in the extracted text).

Given two sets $\eta_1, \eta_2$ of states, let $\mathrm{rch\_bck}(\eta_1, \eta_2)$ be the predicate characterizing those states backwardly reachable from $\eta_2$ through paths of states in $\eta_1$. In the literature, rch_bck() is evaluated as a least fixpoint (details in section 5). In this work, we propose the following new formulation for the evaluation of NZF:

$$NZF(\eta_0, \eta_1, \eta_2) = \bigvee_{\zeta \text{ is a set of states in an } (\eta_1, \eta_2)\text{-NZF-cycle}} \mathrm{rch\_bck}(\eta_0, \mathrm{rch\_bck}(\eta_1, \zeta))$$

The formulation is based on the enumeration of state sets in NZF-cycles and only two least fixpoint evaluations for each state set in the enumeration. There are two advantages to this formulation.

• It allows for successive under-approximation. After any iteration, if the verification engineers see that either enough precision has been reached or too many computation resources have been consumed, they can terminate the enumeration.

• It may seem that the policy of the NZF zone enumeration can greatly affect how efficiently the fixpoint solution is approached. In reality, our experiment data shows that the performance of this formulation can be very insensitive to the enumeration policy. As long as an NZF state falls in the backward reachability of an enumerated zone, it will be included in the under-approximation. In a well-designed system, it is usually the case that most of the states are reachable from one another. In particular, we have established lemma 6 to show that in each iteration of the under-approximation, the states in an NZF-cycle either will all be included in the under-approximation or none will.

Since our new formulation can be insensitive to the policy of NZF-cycle state set enumeration, it is better to first enumerate those NZF-cycle state sets that can be efficiently constructed. We have developed two techniques for the quick construction of NZF-cycle state sets. Our experiment shows that our implementation can lead to a 1000+ times speed-up against some of the benchmarks. Moreover, in most cases, we succeeded in refuting the inevitabilities or proving vacuities after enumerating only one or two state sets.
Section 2 discusses related work. Section 3 reviews the mathematical models of our system behaviors. Section 4 extends TCTL [2] to TCTL$^\infty$ to allow for the specification of fairness properties. Section 5 gives the background knowledge for reading this article. Then section 6 presents an algorithmic framework for both over-approximate and under-approximate model-checking of TCTL$^\infty$ properties. Section 7 explains why the old formulation for NZF evaluation [21] is expensive. Section 8 presents our successive under-approximation algorithm, including the new theoretical formulation of the NZF evaluation and two techniques to construct characterizations of those states in the NZF-cycles. Section 9 reports a speed-up technique, for our under-approximation algorithm, that does not sacrifice the precision of the greatest fixpoint evaluation. Section 10 reports our implementation and experiments. The experiment data shows significant enhancement over the exact analysis against several benchmarks.

2 Related work

The model of timed automata (TA) was by Alur and Dill [3]. TCTL and its model-checking algorithm were by Alur, Courcoubetis, and Dill [2]. The symbolic model-checking algorithm based on zones was by Henzinger et al. [8].

Wong-Toi presented a general framework for the approximate verification of TAs [22]. In particular, the convex-hull over-approximation has been shown to be a very powerful technique in many subsequent works.

Möller applied over-approximation techniques to analyze restricted TCTL inevitability properties without modal-formula nesting [12]. The idea was to make model augmentations to speed up the verification performance.

Wang et al. discussed how to speed up the greatest fixpoint evaluation in TCTL [21]. Other than the over-approximation, they also presented a speed-up technique called EDGF (Early Decision on Greatest Fixpoint), which yields exact analysis results. The idea is that inevitability analysis usually takes the form of $\forall\Box(p \rightarrow \forall\Diamond q)$, which after negation for model-checking becomes the reachability of $p \wedge \exists\Box\neg q$. While evaluating the greatest fixpoint of $\exists\Box\neg q$, the image of the greatest fixpoint monotonically shrinks in successive iterations. Thus when we find that the intersection between $p$ and the image is empty at a particular iteration, we can terminate the fixpoint evaluation right away. Note that EDGF speeds up the verification only when an inevitability is correct. When an inevitability is incorrect, it shows no performance enhancement.

Wang extended TCTL with the capability of punctual event specifications and multiple strong and weak fairness assumptions [19]. The evaluation algorithm for those fairness assumptions was based on the greatest fixpoint evaluation.

3 Timed automata

We use the widely accepted model of timed automata (TA) [3] to describe the transitions in dense-time state-spaces. A TA is a finite-state automaton equipped with a finite set of clocks which can hold nonnegative real values. At any moment, the TA can stay in only one mode (or control location). Each mode is labeled with an invariance condition on clocks. At any instant, at most one transition can be fired if its triggering condition is satisfied. Upon the firing, the automaton instantaneously transits from one mode to another and resets some clocks to zero. In between transitions, all clocks increase their readings at a uniform rate.

For convenience, given a set $P$ of atomic propositions and a set $X$ of clocks, we use $B(P, X)$ as the set of all Boolean combinations of atoms of the forms $p$ and $x \sim c$ where $p \in P$, $x \in X \cup \{0\}$, "$\sim$" is one of $<, \le, =, \ge, >$, and $c$ is an integer constant.

Definition 1. timed automata (TA) A TA $A$ is given as a tuple $(X, Q, I, \mu, E, \gamma, \tau, \pi)$ with the following restrictions. $X$ is a finite set of clocks. $Q$ is a finite set of modes. $I \in B(Q, X)$ is the initial condition. $\mu : Q \mapsto B(\emptyset, X)$ defines the conjunctive invariance condition of each mode. $E$ is the finite set of transitions. $\gamma : E \mapsto (Q \times Q)$ defines the source and the destination modes of each transition. $\tau : E \mapsto B(\emptyset, X)$ and $\pi : E \mapsto 2^X$ respectively define the conjunctive triggering condition and the clock set to reset of each transition. ■

Definition 2. states A state $\nu$ of TA $A = (X, Q, I, \mu, E, \gamma, \tau, \pi)$ is a valuation from $Q \cup X$ such that for all $q \in Q$, $\nu(q) \in \{\mathit{false}, \mathit{true}\}$ and for all $x \in X$, $\nu(x) \in \mathbb{R}^+$, the set of nonnegative real numbers. The restriction is that there is at most one $q \in Q$ such that $\nu(q)$ is true. ■

Definition 3. Satisfaction of state predicates We say a state $\nu$ satisfies a state predicate $\eta \in B(P, X)$, where $P$ is either $\emptyset$ or $Q$, iff the following inductive conditions are satisfied.

• $\nu \models q$ iff $\nu(q)$;

• $\nu \models x \sim c$ iff $\nu(x) \sim c$;

• $\nu \models \eta_1 \vee \eta_2$ iff $\nu \models \eta_1$ or $\nu \models \eta_2$;

• $\nu \models \neg\eta_1$ iff it is not the case that $\nu \models \eta_1$. ■

For any $\delta \in \mathbb{R}^+$, $\nu + \delta$ is a new state identical to $\nu$ except that for every $x \in X$, $(\nu + \delta)(x) = \nu(x) + \delta$. Given $\bar{X} \subseteq X$, $\nu\bar{X}$ is a new state identical to $\nu$ except that for every $x \in \bar{X}$, $\nu\bar{X}(x) = 0$. Given $q \in Q$, $\nu q$ is identical to $\nu$ except that $\nu q(q) = \mathit{true}$.

Definition 4. runs Given a TA $A = (X, Q, I, \mu, E, \gamma, \tau, \pi)$, a run is an infinite computation of $A$ along which time diverges. Formally speaking, a run is an infinite sequence of state-time pairs $(\nu_0, t_0)(\nu_1, t_1) \cdots (\nu_k, t_k) \cdots$ such that

• $t_0 t_1 \ldots t_k \ldots$ is a monotonically increasing divergent real-number sequence, i.e., $\forall c \in \mathbb{N}, \exists h \ge 1, t_h > c$; and

• Invariance condition: for all $k \ge 0$, $\delta \in [0, t_{k+1} - t_k]$, and $q \in Q$, $\nu_k + \delta \models \mu(q)$ iff $\nu_k \models \mu(q)$; and

• Transitions: for all $k \ge 0$, either

  - a null transition happens, i.e., $\nu_k + (t_{k+1} - t_k) = \nu_{k+1}$; or

  - a discrete transition $e$ happens, denoted $q_k \xrightarrow{e} q_{k+1}$ for some $e \in E$ such that $\gamma(e) = (q_k, q_{k+1}) \wedge \nu_k \models \mu(q_k) \wedge \nu_{k+1} \models \mu(q_{k+1})$. The constraint is that $\nu_k + t_{k+1} - t_k \models \tau(e)$, and $(\nu_k + t_{k+1} - t_k)\pi(e)q_{k+1} = \nu_{k+1}$. ■
4 TCTL$^\infty$

TCTL$^\infty$ is an extension of TCTL [2] and has the following syntax rules.

$$\phi ::= q \mid x \sim c \mid \phi_1 \vee \phi_2 \mid \neg\phi_1 \mid x.\phi_1 \mid \exists\phi_1 U \phi_2 \mid \exists\Box\phi_1 \mid \exists\Diamond\Box\phi_1 \mid \exists\Box\Diamond\phi_1$$

Here $q \in Q$, $x \in X$, $c \in \mathbb{N}$. $\phi_1$ and $\phi_2$ are TCTL$^\infty$ formulas. $x.\phi$ means that if there is a clock $x$ with reading zero now, then $\phi$ is satisfied. $\exists\phi_1 U \phi_2$ means that there exists a computation along which $\phi_1$ is true until $\phi_2$ happens. $\exists\Box\phi_1$ means that there is a computation along which $\phi_1$ is true in every state. $\exists\Box\Diamond\phi_1$ means that there is a computation along which $\phi_1$ is true infinitely often. $\exists\Diamond\Box\phi_1$ means that there is a computation along which $\phi_1$ will be stable eventually. In the literature, $\Box\Diamond\phi$ and $\Diamond\Box\phi$ are sometimes written with superscript-$\infty$ shorthands. Also we adopt the following standard shorthands:

• $\mathit{true}$ as the constant tautology; $\mathit{false}$ for $\neg\mathit{true}$

• $\phi_1 \wedge \phi_2$ for $\neg((\neg\phi_1) \vee (\neg\phi_2))$; $\phi_1 \rightarrow \phi_2$ for $(\neg\phi_1) \vee \phi_2$

• $\exists\Diamond\phi_1$ for $\exists\mathit{true}\,U\,\phi_1$

• $\forall\phi_1 U \phi_2$ for $\neg((\exists(\neg\phi_2)\,U\,\neg(\phi_1 \vee \phi_2)) \vee (\exists\Box\neg\phi_2))$; $\forall\Diamond\phi_1$ for $\forall\mathit{true}\,U\,\phi_1$

• $\forall\Box\phi_1$ for $\neg\exists\Diamond\neg\phi_1$

• $\forall\Box\Diamond\phi_1$ for $\neg\exists\Diamond\Box\neg\phi_1$

• $\forall\Diamond\Box\phi_1$ for $\neg\exists\Box\Diamond\neg\phi_1$

Definition 5. (Satisfaction of TCTL$^\infty$ formulas): We write $A, \nu_1 \models \phi$ to mean that TCTL$^\infty$ formula $\phi$ is satisfied at state $\nu_1$ in TA $A$. The satisfaction relation is defined inductively as follows.

• When $\eta \in B(Q, X)$, $A, \nu_1 \models \eta$ iff $\nu_1 \models \eta$, which was previously defined in section 3.

• $A, \nu_1 \models \phi_1 \vee \phi_2$ iff either $A, \nu_1 \models \phi_1$ or $A, \nu_1 \models \phi_2$.

• $A, \nu_1 \models \neg\phi_1$ iff $A, \nu_1 \not\models \phi_1$.

• $A, \nu_1 \models x.\phi$ iff $A, \nu_1\{x\} \models \phi$.

• $A, \nu_1 \models \exists\phi_1 U \phi_2$ iff there exists a run $\rho = (\nu_1, t_1)(\nu_2, t_2) \cdots$ and an $i \ge 1$ such that $A, \nu_i \models \phi_2$ and for every $1 \le j < i$ and $\delta \in [0, t_{j+1} - t_j]$, $A, \nu_j + \delta \models \phi_1$.

• $A, \nu_1 \models \exists\Box\phi_1$ iff there exists a run $\rho = (\nu_1, t_1)(\nu_2, t_2) \cdots$ such that for every $i \ge 1$ and $\delta \in [0, t_{i+1} - t_i]$, $A, \nu_i + \delta \models \phi_1$.

• $A, \nu_1 \models \exists\Box\Diamond\phi_1$ iff there exist a run $\rho = (\nu_1, t_1)(\nu_2, t_2) \cdots$ and an infinite and divergent positive integer sequence $i_1 i_2 \ldots i_k \ldots$ such that for every $k \ge 1$,

• $A, \nu_1 \models \exists\Diamond\Box\phi_1$ iff there exist a run $\rho = (\nu_1, t_1)(\nu_2, t_2) \cdots$ and a $k \ge 1$ such that for every $i \ge k$ and $\delta \in [0, t_{i+1} - t_i]$, $A, \nu_i + \delta \models \phi_1$.

A TA $A = (X, Q, I, \mu, E, \gamma, \tau, \pi)$ satisfies a TCTL$^\infty$ formula $\phi$, in symbols $A \models \phi$, iff for every state $\nu_0 \models I$, $A, \nu_0 \models \phi$. ■

5 Basic building blocks from the literature

For convenience, let $\mathbb{Z}$ be the set of integers. Given $c \ge 0$ and $c \in \mathbb{Z}$, let $I_c$ be $\{\infty\} \cup \{d \mid d \in \mathbb{Z}; -c \le d \le c\}$. Also let $C_{A,\phi}$ be the biggest timing constant used in TA $A$ and TCTL$^\infty$ formula $\phi$.

Most modern model-checkers for timed systems are built around some symbolic manipulation procedures [8] of zones implemented in various data-structures [1,5,6,10,11,14,15]. A zone is symbolically represented by a set of difference constraints between clock pairs. Formally, a zone is a conjunction of constraints like $x - x' \sim d$, with $x, x' \in X \cup \{0\}$, $\sim \in \{``<", ``\le"\}$, and $d \in I_{C_{A,\phi}}$, such that when $d = \infty$, $\sim$ must be "$<$". For convenience, let $B_c = \{(\sim, d) \mid \sim \in \{``<", ``\le"\}; d \in I_c; d = \infty \Rightarrow \sim = ``<"\}$. With respect to given $X$ and $C_{A,\phi}$, the set of all zones is finite. Alternatively, a zone can be defined as a mapping $(X \cup \{0\})^2 \mapsto B_{C_{A,\phi}}$. We shall use the two equivalent notations flexibly.

We need two basic procedures, one for the computation of weakest preconditions of discrete transitions and the other for those of backward time-progressions. Details about the two procedures can be found in [8,14-17,20]. Given a state-space representation $\eta$ (as a union of zones) and a discrete transition $e$ with $\gamma(e) = (q, q')$, the first procedure, $\mathrm{xtion\_bck}(\eta, e)$, computes the weakest precondition

• in which every state satisfies the invariance condition $\mu(q)$; and

• from which we can transit to states in $\eta$ through $e$.

$\eta$ can be represented as a DBM set [6] or as a BDD-like data-structure [14,16,18]. Our algorithms are independent of the representation scheme of $\eta$. The second procedure, $\mathrm{time\_bck}(\eta)$, computes the space representation of states

• from which we can go to states in $\eta$ simply by time-passage; and

• such that every state in the time-passage also satisfies the invariance condition imposed by $\mu()$ for whatever modes the states are in.

We can go from zone $\eta_1$ to another zone $\eta_2$ in one time-progress step iff $\eta_1 \subseteq \mathrm{time\_bck}(\eta_2)$, and in one discrete transition step iff $\exists e \in E\,(\eta_1 \subseteq \mathrm{xtion\_bck}(\eta_2, e))$. A zone sequence $\eta_1 \eta_2 \cdots \eta_k$ corresponds to a finite segment of computation iff for every $1 \le i < k$, either $\eta_i \subseteq \mathrm{time\_bck}(\eta_{i+1})$ or $\eta_i \subseteq \mathrm{xtion\_bck}(\eta_{i+1}, e)$ for some $e \in E$.

With the two basic procedures, we can construct the symbolic backward reachability procedure, denoted $\mathrm{rch\_bck}(\eta_1, \eta_2)$ for convenience, as in [8,14-17,20]. Intuitively, $\mathrm{rch\_bck}(\eta_1, \eta_2)$ characterizes the state-space for $\exists\eta_1 U \eta_2$. Computationally, $\mathrm{rch\_bck}(\eta_1, \eta_2)$ can be defined as the least fixpoint of the equation $F = \eta_2 \vee (\eta_1 \wedge \mathrm{time\_bck}(\eta_1 \wedge \bigvee_{e \in E} \mathrm{xtion\_bck}(F, e)))$. That is,

$$\mathrm{rch\_bck}(\eta_1, \eta_2) = \mathrm{lfp}\,F.\,\big(\eta_2 \vee (\eta_1 \wedge \mathrm{time\_bck}(\eta_1 \wedge \textstyle\bigvee_{e \in E} \mathrm{xtion\_bck}(F, e)))\big).$$

The least fixpoint is computable because of the monotonicity of $F$ in the fixpoint equation $F = \Lambda(F)$ and the finite structure of a zone space.

To calculate the weakest precondition before a clock reset, we also need a partial implementation of the Fourier-Motzkin elimination [7]. We assume that we have such a procedure $\mathrm{FM\_elim}(\eta, \{x\})$ which eliminates all information in state-predicate $\eta$ related to $x$.
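As an added example (not the paper's or RED's code), the following Python models zones as canonical DBMs and implements the two backward operators of this section, time_bck and xtion_bck, with FM_elim as the reset precondition; it also carries the no-upper-bound test that section 8.2 applies to zones. The clock names, the mode invariant, the guard and the sample valuations are constructed for the illustration, and invariants are assumed convex (a conjunction of bounds), as in definition 1.

```python
INF = float("inf")   # the bound (INF, True) means no constraint: x_i - x_j < infinity
def tighter(a, b):
    """Bound a = (c, strict) is tighter than b: smaller constant, or equal and strict."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

class Zone:
    """DBM over named clocks; index 0 is clock 0; m[i][j] = (c, strict) encodes x_i - x_j <= c (< c if strict)."""
    def __init__(self, clocks, m=None):
        self.clocks = list(clocks)
        n = len(self.clocks) + 1
        if m is None:                   # unconstrained zone: only x >= 0 for every clock
            m = [[(0, False) if i == j else (INF, True) for j in range(n)] for i in range(n)]
            for i in range(1, n):
                m[0][i] = (0, False)    # 0 - x_i <= 0
        self.m = m
    def idx(self, name):
        return 0 if name == "0" else self.clocks.index(name) + 1
    def constrain(self, a, b, c, strict=False):
        """Add a - b <= c (or < c); returns self so constraints can be chained."""
        i, j = self.idx(a), self.idx(b)
        if tighter((c, strict), self.m[i][j]):
            self.m[i][j] = (c, strict)
        return self
    def close(self):
        """Floyd-Warshall canonical form; None if a negative cycle makes the zone empty."""
        n = len(self.m)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    a, b = self.m[i][k], self.m[k][j]
                    via = (a[0] + b[0], a[1] or b[1])   # bound along the path i -> k -> j
                    if tighter(via, self.m[i][j]):
                        self.m[i][j] = via
        return None if any(tighter(self.m[i][i], (0, False)) for i in range(n)) else self
    def copy(self):
        return Zone(self.clocks, [row[:] for row in self.m])
    def meet(self, other):
        """Conjunction of two zones (pointwise tighter bound), None if empty."""
        z = self.copy()
        for i in range(len(z.m)):
            for j in range(len(z.m)):
                if tighter(other.m[i][j], z.m[i][j]):
                    z.m[i][j] = other.m[i][j]
        return z.close()
    def contains(self, val):
        """val maps clock name -> reading; every DBM entry must hold."""
        v = [0.0] + [val[x] for x in self.clocks]
        for i in range(len(v)):
            for j in range(len(v)):
                c, strict = self.m[i][j]
                if v[i] - v[j] > c or (strict and v[i] - v[j] == c):
                    return False
        return True
    def has_no_upper_bounds(self):
        """Section 8.2's test on the canonical form: every clock x has zone(x, 0) = (<, inf)."""
        z = self.copy().close()
        return z is not None and all(z.m[z.idx(x)][0] == (INF, True) for x in z.clocks)

def past(zone):
    """Past of zone (states reaching it by some delay delta >= 0): relax lower bounds on the canonical DBM."""
    p = zone.copy().close()
    if p is not None:
        for i in range(1, len(p.m)):
            p.m[0][i] = (0, False)
        p = p.close()
    return p

def fm_elim(zone, clocks):
    """FM_elim: forget every constraint mentioning the given clocks (x >= 0 remains)."""
    e = zone.copy().close()             # canonical first, so implied bounds survive
    if e is None:
        return None
    for x in clocks:
        i = e.idx(x)
        for j in range(len(e.m)):
            if j != i:
                e.m[i][j] = e.m[j][i] = (INF, True)
        e.m[0][i] = (0, False)
    return e.close()

def time_bck(eta, inv):
    """States in inv from which time passage inside inv reaches eta (inv convex, so this is exact)."""
    target = eta.meet(inv)
    p = past(target) if target is not None else None
    return p.meet(inv) if p is not None else None

def xtion_bck(eta, guard, resets, inv_src):
    """Weakest precondition: guard and source invariant hold, and resetting the clocks lands in eta."""
    at_zero = eta.copy()
    for x in resets:
        at_zero.constrain(x, "0", 0).constrain("0", x, 0)   # x = 0 right after the reset
    pre = fm_elim(at_zero, resets)
    pre = pre.meet(guard) if pre is not None else None
    return pre.meet(inv_src) if pre is not None else None

# Constructed sample: clocks x and y, eta = (x >= 2 and y <= 5), mode invariant y <= 3.
CLOCKS = ["x", "y"]
ETA = Zone(CLOCKS).constrain("0", "x", -2).constrain("y", "0", 5)
INV = Zone(CLOCKS).constrain("y", "0", 3)
```

The diagonal constraint $y - x \le 1$ that appears in time_bck(ETA, INV) is exactly the bound the canonical form must carry so that the relaxed lower bounds do not admit states whose required delay is inconsistent.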

6 Abstract model-checking algorithm

The key component in our abstract model-checking algorithm is the approximate construction of the symbolic representations of states that satisfy one of the following three types of properties: $\exists\Box\phi_1$, $\exists\Box\Diamond\phi_1$, and $\exists\Diamond\Box\phi_1$. We can now establish the following lemmas within the context of a given state of a TA $A$. Due to the page limit, the proofs are omitted.

Lemma 1. $A, \nu \models \exists\Box\psi_1$ iff $A, \nu \models NZF(\psi_1, \psi_1, \mathit{true})$. ■

Lemma 2. $A, \nu \models \exists\Box\Diamond\psi_1$ iff $A, \nu \models NZF(\mathit{true}, \mathit{true}, \psi_1)$. ■

Lemma 3. $A, \nu \models \exists\Diamond\Box\psi_1$ iff $A, \nu \models NZF(\mathit{true}, \psi_1, \mathit{true})$. ■

The three lemmas together show that the evaluation of $NZF(\eta_0, \eta_1, \eta_2)$ can be used as a unified scheme to evaluate these three types of properties.

We are about to give a framework of abstract model-checking algorithm that is capable of doing both under- and over-approximation. In general, over-approximation can be done in various ways [21,22], e.g., the convex-hull approximation. In the following sections, we focus on how to do under-approximation of NZF(). For the time being, we assume that there is a procedure called $\mathrm{NZF}(\eta_0, \eta_1, \eta_2, \mathit{flag}_A)$ capable of calculating the approximation of $NZF(\eta_0, \eta_1, \eta_2)$. Here, the input flag $\mathit{flag}_A$ is used to choose the approximation scheme. When $\mathit{flag}_A$ is $-1$, it means under-approximation; $0$, no approximation; and $1$, over-approximation.

The following evaluation algorithm uses NZF() and the procedures presented in the last section as basic blocks to evaluate TCTL$^\infty$ formulas.



eval(A, φ, flag_A) {
  switch (φ) {
    case (false): return false;
    case (q): return q;
    case (x ~ c): return x ~ c;
    case (φ1 ∨ φ2): return eval(A, φ1, flag_A) ∨ eval(A, φ2, flag_A);
    case (¬φ1): return ¬eval(A, φ1, −1 · flag_A);       /* negation flips the approximation direction */
    case (x.φ1): return FM_elim(x = 0 ∧ eval(A, φ1, flag_A), {x});
    case (∃φ1 U φ2): Y1 := eval(A, φ1, flag_A);
                     Y2 := eval(A, φ2, flag_A) ∧ NZF(true, true, true, flag_A);
                     return rch_bck(Y1, Y2);
    case (∃□φ1): W := eval(A, φ1, flag_A); return NZF(W, W, true, flag_A);
    case (∃□◇φ1): W := eval(A, φ1, flag_A); return NZF(true, true, W, flag_A);
    case (∃◇□φ1): W := eval(A, φ1, flag_A); return NZF(true, W, true, flag_A);
  }
}



The correctness of the algorithm can be established with the following lemma.

Lemma 4. Suppose we have a correct implementation for $\mathrm{NZF}(\eta_0, \eta_1, \eta_2, \mathit{flag}_A)$. Procedure $\mathrm{eval}(A, \phi, \mathit{flag}_A)$ yields an under-approximation of $\phi$ when $\mathit{flag}_A = -1$; an exact evaluation when $\mathit{flag}_A = 0$; and an over-approximation of $\phi$ when $\mathit{flag}_A = 1$. ■

Then in the exact analysis of model-checking, TA $A$ satisfies TCTL$^\infty$ formula $\phi$ iff $I \wedge \mathrm{eval}(A, \neg\phi, 0)$ is false. In over-approximation, $A$ does not satisfy $\phi$ if $I \wedge \mathrm{eval}(A, \neg\phi, -1)$ is not false. In under-approximation, $A$ satisfies $\phi$ if $I \wedge \mathrm{eval}(A, \neg\phi, 1)$ is false.
7 Formulation for NZF evaluation in the literature

In the following, we discuss paths and cycles of zones. A finite zone path along which all zones satisfy $\eta_1$ is called an $\eta_1$-path. Infinite computations can be formulated as non-Zeno cycles (or strongly connected components) of zones such that the execution times of the cycles are at least 1.

According to [19], a formulation of $NZF(\eta_0, \eta_1, \eta_2)$ evaluation is

$$\mathrm{rch\_bck}(\eta_0, \mathrm{rch\_bck}(\eta_1, \mathrm{gfp}\,F.\,\exists z.(z = 0 \wedge \eta_2 \wedge \mathrm{rch\_bck}(\eta_1, z \ge C_{A,\phi} \wedge F)))) \quad (1)$$

Here gfp means the greatest fixpoint; $\mathrm{gfp}\,F.\,\Lambda(F)$ specifies the greatest fixpoint of $\Lambda()$. Clock $z$ is used to check if the cycle time is no less than 1. Formulation (1) involves a double loop and two single loops in implementation.³ The double loop evaluates the $(\eta_1, \eta_2)$-NZF-cycles and is as follows.

$$\mathrm{gfp}\,F.\,\exists z.(z = 0 \wedge \eta_2 \wedge \mathrm{rch\_bck}(\eta_1, z \ge 1 \wedge F)) \quad (2)$$

The inner loop (i.e., $\mathrm{rch\_bck}(\eta_1, z \ge 1 \wedge F)$) of the double loop is for the least fixpoint evaluation of an $\eta_1$-path that starts with a zone satisfying $\eta_2$. The outer loop of the double loop is for the greatest fixpoint evaluation of an NZF-cycle through checking whether the starting and the ending zones of the $\eta_1$-path yielded by the inner loop coincide. Then after the double loop has been executed, the two outermost invocations of rch_bck() in (1) incur two single-loop executions to calculate a predicate that characterizes every zone $\zeta_0$ in figure 1, i.e., the set of states starting an $\eta_0$-path to a zone $\zeta_1$ that starts an $\eta_1$-path to an $(\eta_1, \eta_2)$-NZF-cycle.

As reported in [21], the double loop in formulation (1) dominates the complexity and can result in very expensive computations.

8 Successive under-approximation of NZF()

In the following, we first present a new formulation for the NZF evaluation based on zone searching and least fixpoint evaluation. Then we propose techniques for zone searching in subsections 8.2 and 8.3. Finally, we integrate the ingredients to present a successive under-approximation algorithm for NZF().

8.1 Another formulation of NZF evaluation

The basic idea of our under-approximate evaluation of NZF() is the following. If somehow we know that a particular zone $\zeta_1$ is in an $(\eta_1, \eta_2)$-NZF-cycle, then we can readily compute $\mathrm{rch\_bck}(\eta_0, \mathrm{rch\_bck}(\eta_1, \zeta_1))$ to characterize a set of states that satisfy $NZF(\eta_0, \eta_1, \eta_2)$. If we can make a good guess for such a $\zeta_1$, then it is possible that $\mathrm{rch\_bck}(\eta_0, \mathrm{rch\_bck}(\eta_1, \zeta_1))$ turns out to be a big chunk of the exact evaluation of $NZF(\eta_0, \eta_1, \eta_2)$. Then a few such good guesses could give us a very precise under-approximation of the greatest fixpoint. The idea can be formalized as the following new formulation of NZF() evaluation. For convenience, a zone is called an $(\eta_1, \eta_2)$-NZF-zone if it is in an $(\eta_1, \eta_2)$-NZF-cycle.

Lemma 5. $NZF(\eta_0, \eta_1, \eta_2) = \bigvee_{\zeta \text{ is an } (\eta_1, \eta_2)\text{-NZF-zone}} \mathrm{rch\_bck}(\eta_0, \mathrm{rch\_bck}(\eta_1, \zeta))$. ■

Proof of the lemma can be found in appendix A.

³ An invocation of rch_bck() is executed as a loop. An evaluation of the greatest fixpoint also incurs a loop execution.
8.2 Fair zones without upper bounds in the cycle

First, we can check those zones characterized by $\eta_1 \wedge \eta_2$. If there are such zones that have no upper bounds on any clock reading, then these zones constitute self-cycles with arbitrary execution times. Such a zone, say $\zeta$, is characterized by the following condition: $\forall x \in X, \zeta(x, 0) = (<, \infty)$. The argument for guessing the existence of such zones is that in many embedded systems, for example communication protocols, there usually are idle modes which the systems repeatedly enter after a communication session. In such idle modes, the systems usually wait without time-bounds until some events happen. Thus it is very likely that such idle modes exist in the system descriptions. Furthermore, we do not have to run the expensive double loop in formulation (1) to check the non-Zenoness of the self-cycle. As we will see in the experiment report, this strategy alone can indeed lead to under-approximations precise enough for the refutation of many benchmarks.

Assume that $\eta_1 \wedge \eta_2 = \bigvee_{1 \le k \le n} \zeta_k$ is a disjunction of $n$ zones. The union of all zones without upper bounds on all clocks in $\eta_1 \wedge \eta_2$ can be constructed with the following procedure.

$$\mathrm{get\_zones\_wo\_upperbounds}(\zeta_1 \vee \cdots \vee \zeta_n) = \bigvee_{1 \le k \le n;\ \forall x \in X,\ \zeta_k(x, 0) = (<, \infty)} \zeta_k$$

8.3 Searching for non-Zeno cycles from fair zones

get_zones_wo_upperbounds() represents an efficient way to find some specific zones in the $(\eta_1, \eta_2)$-NZF-cycles. But it may also happen that the clock readings in the fair zones in an NZF-cycle are upwardly bounded. In this case, we can resort to the strongly connected component algorithm to search for the NZF-cycles. Since the existence of a fair zone (one that satisfies $\eta_2$) is a necessary condition for NZF-cycles, we can start the search right from fair zones. The following procedure returns a fair zone in an NZF-cycle along which the cycle time is no less than 1.

get_a_zone_w_DFS(η1, η2) {
  while η1 ∧ η2 is not empty, do {
    find a zone ζ in η1 ∧ η2;
    use depth-first search in η1 to find a path that                       (3)
      • both starts and ends at ζ; and
      • has path time no less than 1.
    if the path in statement (3) exists, return ζ; else η1 := η1 ∧ ¬ζ;
  }
  return false;
}



8.4 Algorithm for successive under-approximation

The formulation in lemma 5 does not suggest any particular method to manage the evaluation process. However, if we have a policy to generate zone descriptions $\zeta_1, \ldots, \zeta_n$ one by one in succession, then we can evaluate $NZF(\eta_0, \eta_1, \eta_2)$ with successive under-approximation. In the following, we use lemma 5 and the two guessing techniques in subsections 8.2 and 8.3 to construct an algorithm that embodies the idea. In particular, we use the number of enumeration iterations as the level of approximation to control the resource consumption and evaluation precision. The higher the level of approximation demanded, the more resources are consumed and the better evaluation precision can be achieved.

NZF_successive_uapprox(η0, η1, η2, level) /* level ≥ 0 */ {
  η := rch_bck(η0, rch_bck(η1, get_zones_wo_upperbounds(η1 ∧ η2))); η1 := η1 ∧ ¬η;
  for (l := 1; l ≤ level; l := l + 1) {
    ζ := get_a_zone_w_DFS(η1, η2); η := η ∨ rch_bck(η0, rch_bck(η1, ζ)); η1 := η1 ∧ ¬ζ;
  }
  return η;
}

We choose to use get_zones_wo_upperbounds() to generate the starting NZF-zones at level 0 because, intuitively, it is in general much less expensive to run get_zones_wo_upperbounds() than get_a_zone_w_DFS().

9 Speed-up in iterative searches for NZF zones

After each iteration of procedure NZF_successive_uapprox() in subsection 8.4, we remove an NZF-zone from the search space to avoid redundant searching. This removal takes place at the end of lines 2 and 4 in the procedure. It is possible to prune the search space in bigger chunks. Specifically, two NZF-zones that belong to the same NZF-cycle may be used in two iterations to start the search in NZF_successive_uapprox(). Suppose the two zones are $\zeta, \zeta'$, used in this order. Then $\zeta' \subseteq \mathrm{rch\_bck}(\eta_1, \zeta)$ and $\zeta \subseteq \mathrm{rch\_bck}(\eta_1, \zeta')$. Thus there is no need to make a new round of depth-first search from $\zeta'$. In fact, we can establish the following lemma, which gives us a sufficient condition leading to significant pruning of the iterative search spaces.

Lemma 6. Given three zones $\zeta_0, \zeta_1$, and $\zeta_2$ such that $\zeta_1$ and $\zeta_2$ are in the same $(\eta_1, \eta_2)$-NZF-cycle, if $\zeta_1 \subseteq \mathrm{rch\_bck}(\eta_1, \zeta_0)$ then $\zeta_2 \subseteq \mathrm{rch\_bck}(\eta_1, \zeta_0)$. ■

Proof of the lemma can be found in appendix B. Lemma 6 implies that we do not have to search through any states in $\mathrm{rch\_bck}(\eta_1, \zeta_0)$ after the iteration with $\zeta_0$ as the search start. This leads to the following revision of procedure NZF_successive_uapprox().

NZF_successive_uapprox_big_chunks(η0, η1, η2, level) /* level ≥ 0 */ {
  η := rch_bck(η1, get_zones_wo_upperbounds(η1 ∧ η2)); η1 := η1 − η;
  η := rch_bck(η0, η);
  for (l := 1; l ≤ level; l := l + 1) {
    ζ := rch_bck(η1, get_a_zone_w_DFS(η1, η2)); η1 := η1 − ζ;
    η := η ∨ rch_bck(η0, ζ);
  }
  return η;
}
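The successive under-approximation of subsections 8.3, 8.4 and this section, as an added example that is not the paper's or RED's code: it runs on a constructed finite abstraction of a zone graph (nodes stand for zones, edges carry the time that passes on a step) rather than on real zones, so rch_bck is plain backward reachability and the DFS of get_a_zone_w_DFS checks cycle time against 1. It assumes the loop bound is l ≤ level, that the removal η1 := η1 ∧ ¬ζ inside get_a_zone_w_DFS is local to that search, and integer step times; the graph, labels and names are constructed.

```python
class ZoneGraph:
    """Constructed finite abstraction of a zone graph: nodes are zones and each
    edge carries the time that passes on that step (0 for a discrete transition)."""
    def __init__(self, edges, unbounded=()):
        self.succ, self.pred = {}, {}
        for src, dst, dt in edges:
            self._add(src, dst, dt)
        self.unbounded = frozenset(unbounded)   # zones with no clock upper bounds
        for z in self.unbounded:                # can idle arbitrarily long, i.e. they
            self._add(z, z, 1)                  # form a self-cycle of time >= 1
    def _add(self, src, dst, dt):
        self.succ.setdefault(src, []).append((dst, dt))
        self.succ.setdefault(dst, [])
        self.pred.setdefault(dst, []).append(src)
        self.pred.setdefault(src, [])

def rch_bck(g, eta1, eta2):
    """Section 5's least fixpoint F = eta2 or (eta1 and pre(F)) on the zone graph."""
    reach, frontier = set(eta2), list(eta2)
    while frontier:
        for prev in g.pred[frontier.pop()]:
            if prev in eta1 and prev not in reach:
                reach.add(prev)
                frontier.append(prev)
    return frozenset(reach)

def get_zones_wo_upperbounds(g, fair):
    """Section 8.2: fair zones without clock upper bounds, the cheap level-0 starts."""
    return frozenset(z for z in fair if z in g.unbounded)

def cycle_time_at_least_one(g, eta1, zeta, bound=1):
    """Depth-first search inside eta1 for a path from zeta back to zeta whose time is
    at least bound; accumulated time is capped at bound so the search is finite."""
    stack, seen = [(zeta, 0)], {(zeta, 0)}
    while stack:
        node, t = stack.pop()
        for nxt, dt in g.succ[node]:
            t2 = min(t + dt, bound)
            if nxt not in eta1:
                continue
            if nxt == zeta and t2 >= bound:
                return True
            if (nxt, t2) not in seen:
                seen.add((nxt, t2))
                stack.append((nxt, t2))
    return False

def get_a_zone_w_dfs(g, eta1, eta2):
    """Section 8.3: some fair zone on an eta1-cycle of time >= 1, or None. A fair zone
    that starts no such cycle is dropped from the candidates only (assumed local)."""
    candidates = set(eta1) & set(eta2)
    while candidates:
        zeta = min(candidates)            # deterministic choice of the next fair zone
        if cycle_time_at_least_one(g, eta1, zeta):
            return zeta
        candidates.discard(zeta)
    return None

def nzf_successive_uapprox(g, eta0, eta1, eta2, level):
    """Sections 8.4 and 9 (big-chunk variant): level 0 uses the no-upper-bound zones,
    each further level one DFS; the eta1-reach of a start is pruned from eta1 (lemma 6)."""
    eta1 = set(eta1)
    inner = rch_bck(g, eta1, get_zones_wo_upperbounds(g, eta1 & set(eta2)))
    eta1 -= inner
    result = set(rch_bck(g, eta0, inner))
    for _ in range(1, level + 1):
        zeta = get_a_zone_w_dfs(g, eta1, eta2)
        if zeta is None:                  # no NZF-zone left: the fixpoint is reached
            break
        inner = rch_bck(g, eta1, {zeta})
        eta1 -= inner
        result |= rch_bck(g, eta0, inner)
    return frozenset(result)

def nzf_exact(g, eta0, eta1, eta2):
    """Reference value by lemma 5 without pruning: every fair zone on an eta1-cycle
    of time >= 1 is an NZF-zone."""
    zones = {z for z in set(eta1) & set(eta2) if cycle_time_at_least_one(g, eta1, z)}
    return rch_bck(g, eta0, rch_bck(g, eta1, zones))

# Constructed zone graph: c idles without upper bounds (found at level 0), d-e-f is a
# bounded cycle of time 1 (found by DFS), g-h is a Zeno cycle of time 0, x is fair but
# on no cycle, bad lies outside eta1 and cuts k off, p is in eta0 only, q in neither.
EDGES = [("s0", "a", 0), ("a", "c", 1), ("s0", "b", 0), ("b", "d", 0), ("d", "e", 0),
         ("e", "f", 1), ("f", "d", 0), ("s0", "g", 0), ("g", "h", 0), ("h", "g", 0),
         ("s0", "x", 1), ("k", "bad", 0), ("bad", "c", 0), ("p", "a", 0), ("q", "a", 0)]
GRAPH = ZoneGraph(EDGES, unbounded=["c"])
ETA1 = frozenset("s0 a b c d e f g h x k".split())
ETA2 = frozenset("c e g x".split())       # the fair zones
ETA0 = ETA1 | {"p"}

def under_approx(level):
    return nzf_successive_uapprox(GRAPH, ETA0, ETA1, ETA2, level)

if __name__ == "__main__":
    for lvl in range(3):
        print("level", lvl, sorted(under_approx(lvl)))
    print("exact  ", sorted(nzf_exact(GRAPH, ETA0, ETA1, ETA2)))
```

On this graph level 0 already covers the idle cycle and its backward reach, level 1 adds the bounded d-e-f cycle and equals the exact value, and the Zeno cycle g-h and the cycle-free fair zone x are never included.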



10 Implementation and experiment

We have implemented the ideas in our model-checker/simulator, RED version 5.4, for communicating timed automata [13]. RED uses the new BDD-like data-structure, CRD (Clock-Restriction Diagram) [16-18], and supports both forward and backward analyses, full TCTL model-checking with event constraints and multiple fairness assumptions [19], deadlock detection, and counter-example generation. We here report our experiments with the following seven parameterized benchmarks. The details of the benchmarks and their running options can be found in appendix C. The experiment result is shown in table 1. For each of the benchmarks, we have collected data with exact analysis and under-approximation in greatest fixpoint evaluation with or without the speed-up technique. For each run, we report the CPU time (for model-checking only), memory size, and the level of under-approximation needed for the verification. For all the benchmarks, our under-approximation techniques show significant enhancement over the exact analysis. For example, for benchmark (F), the performance can be a thousand times better.

Also the experiment outcome shows good promise that our under-approximation formulation may be able to quickly refute specifications and prove vacuity. Most of the benchmarks can be verified with under-approximation of level zero or one.

11 Conclusion

We investigate how to use under-approximation to quickly refute incorrect inevitabilities and to check vacuous satisfaction in dense-time models. Experiment results showed that our techniques significantly enhanced the performance of our model-checker against several benchmarks. In the future, we feel that such techniques could be useful in industrial projects.
Table 1. Performance data of model-checking algorithms 
(exact analysis: time/space; under-approximation: time/space/level; cells that the 
scan of the original left unreadable are marked "?") 

benchmarks                 | concurrency | exact          | under-approximation | under-approximation 
                           |             | (time/space)   | no speed-up         | speed-up 
                           |             |                | (time/space/level)  | (time/space/level) 
---------------------------+-------------+----------------+---------------------+-------------------- 
(A) Fischer's              | 2 proc's    | ?              | ?                   | ? 
    bounded waiting        | 3 proc's    | ?              | 0.34s/73k/0         | 0.32s/73k/0 
                           | 4 proc's    | 28.5s/580k     | 2.27s/324k/0        | 2.24s/324k/0 
                           | 5 proc's    | 275.1s/2656k   | 14.71s/1335k/0      | 14.84s/1335k/0 
(B) Fischer's progress     | 2 proc's    | ?              | ?                   | ? 
    w. a bug               | 3 proc's    | ?              | 0.36s/60k/1         | 0.34s/60k/1 
                           | 4 proc's    | 21.98s/354k    | 2.75s/225k/1        | 2.83s/225k/1 
                           | 5 proc's    | 215.0s/1543k   | 22.46s/873k/1       | 22.27s/873k/1 
(C) CSMA/CD                | 2 senders   | ?              | ?                   | 0.44s/?/1 
    bounded waiting        | 3 senders   | ?              | 4.58s/150k/5        | 3.12s/129k/1 
                           | 4 senders   | ?              | ?                   | ?/?/1 
                           | 5 senders   | > 8600s        | ?                   | ?/?/1 
(D) CSMA/CD progress       | 2 senders   | 0.32s/34k      | 0.12s/34k/0         | 0.11s/34k/0 
    of retrials w. a bug   | 3 senders   | 4.47s/98k      | ?                   | 1.47s/?/? 
                           | 4 senders   | 33.28s/316k    | 11.96s/186k/0       | 11.99s/186k/0 
                           | 5 senders   | ?              | ?                   | ? 
(E) FDDI token ring        | 2 stations  | 2.88s/305k     | 0.04s/42k/1         | 0.06s/42k/1 
    vacuity                | 3 stations  | 152.15s/3108k  | 0.29s/119k/1        | 0.30s/119k/1 
                           | 4 stations  | > 1200s        | 2.15s/617k/1        | 2.27s/618k/1 
                           | 5 stations  | > 1200s        | 70.78s/9574k/1      | 71.10s/9571k/1 
(F) PATHOS scheduling      | 2 proc's    | 0.01s/10k      | ≈ 0s/10k/0          | 0s/10k/0 
    inevitable fairness    | 3 proc's    | 0.22s/58k      | 0.03s/24k/0         | 0.04s/24k/0 
                           | 4 proc's    | 10.72s/1181k   | 0.13s/61k/0         | 0.15s/61k/0 
                           | 5 proc's    | 1280s/39076k   | 0.60s/192k/0        | 0.61s/192k/0 
                           | 6 proc's    | N/A            | 2.17s/601k/0        | 2.10s/601k/0 
                           | 7 proc's    | N/A            | 6.44s/1813k/0       | 6.51s/1813k/0 
                           | 8 proc's    | N/A            | 20.19s/5253k/0      | 20.17s/5253k/0 
                           | 9 proc's    | N/A            | 62.02s/14632k/0     | 66.30s/14632k/0 
(G) Bluetooth L2CAP        | 9 proc's    | 228.9s/1886k   | 35.98s/1280k/0      | 36.36s/1280k/0 
(H) Bluetooth L2CAP        | 9 proc's    | 233.4s/1887k   | 40.76s/1280k/0      | 41.21s/1280k/0 
(I) Bluetooth L2CAP        | 9 proc's    | 262.0s/1913k   | 29.77s/1435k/0      | 29.71s/1435k/0 
(J) Bluetooth L2CAP        | 9 proc's    | 467.8s/2235k   | 57.91s/1317k/0      | 56.93s/1317k/0 
(K) Bluetooth L2CAP        | 9 proc's    | 480.7s/2135k   | 67.66s/1332k/0      | 71.56s/1332k/0 
(L) Bluetooth L2CAP        | 9 proc's    | 476.2s/2136k   | 51.59s/1437k/0      | 52.97s/1437k/0 
(M) Bluetooth L2CAP        | 9 proc's    | 250.0s/1887k   | 52.34s/1280k/0      | 52.89s/1280k/0 
(N) Bluetooth L2CAP        | 9 proc's    | 251.9s/1888k   | 60.12s/1281k/0      | 55.19s/1281k/0 
(O) Bluetooth L2CAP        | 9 proc's    | 280.6s/1913k   | 44.59s/1434k/0      | 44.98s/1434k/0 

Data collected on a Pentium 4 Mobile 1.6GHz with 256MB memory running LINUX; 
s: seconds; k: kilobytes of memory in data-structure; N/A: not available. 
APPENDIX 

A Proof for lemma 5 

We first assume that there is a state ν ⊨ NZF(η0, η1, η2). This means that there 
are two states ν1 and ν2 in a run such that (1) ν1 and ν2 belong to the same 
zone; (2) ν1 and ν2 both satisfy η2; (3) zones along the run segment from ν1 to ν2 
all satisfy η1; (4) the time-passage of the run segment is no less than 1; and (5) the 
run segment from ν to ν1 is the concatenation of two run segments such that the 
states in the first and the second segments respectively satisfy η0 and η1. Then 
the finite run segment from ν1 to ν2 can be projected to an (η1, η2)-NZF-cycle. 
Thus the zone of ν1, say ζ', is an (η1, η2)-NZF-zone. Then condition (5) 
above implies that there is an η0-path concatenated with an η1-path from the 
zone of ν to ζ'. Thus we know that ν ⊨ rch_bck(η0, rch_bck(η1, ζ')). 

Now we assume that there is a state ν ⊨ rch_bck(η0, rch_bck(η1, ζ')) for a 
particular (η1, η2)-NZF-zone ζ'. This means that there is an η0-path from the 
zone of ν to another zone which in turn starts an η1-path to the (η1, η2)-NZF-cycle 
which ζ' belongs to. This η0-path, η1-path, and the (η1, η2)-NZF-cycle together 
can be unrolled to an infinite zone path along which η0 is true until η1 becomes 
true forever and η2 is true infinitely often. Since this unrolled infinite zone path 
is constructed in a backward analysis and ν is in the zone starting the path, we 
deduce that ν also starts a run that satisfies η0 until η1 is true forever and η2 is 
true infinitely often. This means ν ⊨ NZF(η0, η1, η2). 

B Proof for lemma 6 

We need to prove that there is an η1-path P from ζ2 to ζ0. Since ζ1 ⊆ rch_bck(η1, ζ0), 
there is an η1-path P1 from ζ1 to ζ0. Since ζ1 and ζ2 are in the same (η1, η2)- 
NZF-cycle, there is also an η1-path P2 from ζ2 to ζ1. Thus an example of P is 
the concatenation of P2 and P1. 

C Experiment and benchmarks 

Our tool RED can be downloaded for free at http://cc.cc. ntu.edu.twZ-val. To 
run the tool, simply type "red [-options] (input filename) (output filename)" 
in LINUX. To invoke under-approximation, please use option '-Au'; for over- 
approximation, please use option '-Ao.' 

To enforce the non-Zeno requirement on computations, please use option 
'-Z.' 

To invoke greatest-fixpoint under-approximation of level d, please use option 'Gd.' 
Note that if this option is invoked while the subformula is to be evaluated with 
over-approximation, then exact analysis will instead be carried out. 

To invoke the speed-up technique, please use option 'Gc.' 
While we describe the following benchmarks, we shall also list the options 
used. 

(A) Bounded waiting of Fischer's mutual exclusion algorithm. The algorithm 
uses a global pointer variable and a local clock of each process to guarantee 
mutual exclusion to the critical section. The algorithm does not guaran- 
tee that a process in the ready state will eventually enter the critical section. 
We want to refute the specification ∀□(ready_i → ∀◇critical_i), 
which is not true of the algorithm. Here ready_i and critical_i are the propo- 
sitions respectively marking that process i is in the ready and the critical 
states. 

The input file names are like hfitb.d where i is the number of processes. For 
exact analysis, we use option '-Z.' For under-approximation, we use options 
'-AoGd0' (without the speed-up technique) and '-AoGcGd0' (with the speed- 
up technique). 

(B) Progress of Fischer's algorithm with a bug. We inserted a bug in Fischer's 
mutual exclusion algorithm so that processes may prevent each other from 
entering the critical section. We want to refute the following property 

∀□(ready_i → ∀◇∃i, critical_i) 
saying that if a process wants to enter the critical section, then eventually 
some process will be in the critical section. The bug invalidates the property. 
The input file names are like hfierr.d where i is the number of processes. For 
exact analysis, we use option '-Z.' For under-approximation, we use options 
'-AoGd1' (without the speed-up technique) and '-AoGcGd1' (with the speed- 
up technique). 

(C) Bounded waiting of the CSMA/CD mutual exclusion algorithm. CSMA/CD as- 
sumes that all senders share the same bus. Each of them can send a message 
to the bus when it finds no signal on the bus. But if within 52μs it finds that its 
message has been corrupted, then it has to stop sending the message and 
retry later. We want to refute the following bounded waiting property 

∀□(transm_i → ∀◇(transm_i ∧ x_i > 52)) 
that is not guaranteed in CSMA/CD. Here proposition transm_i means that 
process i is sending out a message and x_i is the local clock of process i. 
The input file names are like hcdiaf.d where i is the number of processes. For 
exact analysis, we use option '-Z.' For under-approximation without speed- 
up, we use options '-AoGd2' for all files except hcd5af.d and '-AoGd5' for 
hcd5af.d. With speed-up, we use '-AoGcGd1.' 

(D) Progress of retrials of the CSMA/CD mutual exclusion algorithm with a bug. In 
the CSMA/CD model, processes will try to resend their messages until they 
succeed in sending them out. We inserted a bug into the algorithm 
so that some processes may be trapped in an error mode with no outgoing 
transitions. We want to refute the property ∀□(retry_i → ∀◇∃i, transm_i) 
that is not guaranteed in CSMA/CD with this bug. Here retry_i means that 
process i is waiting to resend its message. 

The input file names are like hcdierr2.d where i is the number of processes. 
For exact analysis, we use option '-Z.' For under-approximation, we use 
options '-AoGd0' (without the speed-up technique) and '-AoGcGd0' (with the 
speed-up technique). 

(E) Vacuity of a strong fairness assumption in the FDDI token ring protocol. We 
want to check whether there is a run along which a station enters the asyn- 
chronous transmission mode infinitely many times. That is, ∃□◇async_i. 
The input file names are like hddiiaeo.d where i is the number of processes. 
For exact analysis, we use option '-Z.' For under-approximation, we use 
options '-AuGd1' (without the speed-up technique) and '-AuGcGd1' (with the 
speed-up technique). 

(F) Strong fairness for the lowest priority in the PATHOS real-time operating sys- 
tem scheduling policy. PATHOS is a real-time operating system that uses a 
priority scheduling policy. In a system of n processes, the model assumes that 
in each period of n time units, each process will need at most 1 time unit to 
run on the CPU. We want to refute the specification that the lowest-priority 
process gets to run on the CPU infinitely often along any computation. That 
is, ∀□◇run_n. 

The input file names are like pathosiaao.d where i is the number of processes. 
For exact analysis, we use option '-Z.' For under-approximation, we use 
options '-AoGd0' (without the speed-up technique) and '-AoGcGd0' (with the 
speed-up technique). 
(G-O) Various properties of Bluetooth L2CAP. We have also checked 9 prop- 
erties against Bluetooth L2CAP []. The L2CAP model is refined from the 
one in []. There are 9 processes to model the users, L2CAP layers, timers, 
and the medium on the two sides of the communication. We checked the 
model against the following 9 properties. For convenience, we 
use '(α),' '(β),' and '(γ)' to represent the following properties respectively: 
(α): the master L2CAP is in state 'W4_L2CAP_CONNECT_RSP'; (β): the 
master L2CAP is in state 'W4_L2CA_CONNECT_RSP'; and (γ): the master 
L2CAP is in state 'OPEN.' The nine properties and their input file names 
are labeled as follows: 



Labels   properties                              input file name 
(G)      ∀□((α) → ∀◇(γ))                         l2nae.d 
(H)      ∀□((α) → ∀◇∞(γ))                        l2nao.d 
(I)      ∀□((α) → ∀□(γ))                         l2nag.d 
(J)      ∀□((α) → ∀◇((β) ∧ ∀◇(γ)))               l2naeae.d 
(K)      ∀□((α) → ∀◇((β) ∧ ∀◇∞(γ)))              l2naeao.d 
(L)      ∀□((α) → ∀◇((β) ∧ ∀□(γ)))               l2naeag.d 
(M)      ∀□((α) → ∀□((β) → ∀◇(γ)))               l2nagae.d 
(N)      ∀□((α) → ∀□((β) → ∀◇∞(γ)))              l2nagao.d 
(O)      ∀□((α) → ∀□((β) → ∀□(γ)))               l2nagag.d 



For exact analysis, we use option '-Z.' For under-approximation, we use 
options '-AoGd0' (without the speed-up technique) and '-AoGcGd0' (with the 
speed-up technique). 